Entire process's environment attached to bugzillas by ABRT
Richard W.M. Jones
rjones at redhat.com
Sun Nov 30 13:43:39 UTC 2014
On Fri, Nov 28, 2014 at 07:39:47AM +0100, Jakub Filak wrote:
> The discussion I mentioned above was primarily about OpenStack (but the
> participants also expressed concerns about sending 'environ' to Bugzilla
> at all), where people are regularly storing their passwords and tokens
> as environment variables.
Yes unfortunately OpenStack does by default encourage people to source
a 'keystonerc_admin' file which contains authentication tokens. The
file will look something like this:
export OS_USERNAME=admin
export OS_TENANT_NAME=admin
export OS_PASSWORD=mysecretpassword
export OS_AUTH_URL=http://127.0.0.1:35357/v2.0/
For a public cloud, knowing those values could give anyone access to
the account.
How about having abrt just remove or scrub all variables that start
with /^OS_/ ? I know it's nasty to have application-specific
treatment of environment variables like this, but the number of
applications that pass auth information through environment variables
is small.
For Amazon EC2 you'd want to scrub /^AWS_/
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-p2v converts physical machines to virtual machines. Boot with a
live CD or over the network (PXE) and turn machines into KVM guests.
http://libguestfs.org/virt-v2v
More information about the devel
mailing list